Fielding IoT vulnerabilities

The pace at which technology proliferates is staggering. While companies struggle to keep up with it, policymakers find Moore’s law too fast to regulate.

Hrishikesh Barua

Director of engineering, Imaginea

It takes 4-5 years to grant a patent, but the underlying technology that gets patented becomes obsolete in the same 4-5 years. Regulatory lags are creating vulnerabilities that have deep implications for customers, a case in point being IoT.

IoT has become a buzzword in a very short time. It is not easy to draw clear boundaries as to whether a given device belongs under it or not. It is easy, however, to summarize the state of security for such devices: it is either non-existent or added as an afterthought.

“It’s time we invented a ‘light-year’ equivalent for tech regulations. Current regulatory speeds are clearly inadequate to service the speed of technology change.”

Last year, Mirai, malware written in C and Go, self-propagated to almost 1 billion cheap internet-connected devices and used them to launch one of the largest DDoS attacks in history. The devices it infected were unsecured and were spread too widely, geographically, for any single entity to control or fix them. While vendors tout internet enablement as a futuristic feature, they also have a mandate to keep those devices secure. Internet enablement can’t be done just for the heck of it. It might be necessary for CCTVs with remote monitoring, but it does not yet serve any immediate purpose in light bulbs, electric kettles and rice cookers, except to cater to the swagger needs of early adopters.

Economics are good and unregulated: Network enablement in devices has become cheap due to the drop in component prices. Policies don’t mandate any effort to secure these devices apart from simple password mandates, which in practice yield default passwords like ‘1234’ that anyone, hackers included, can guess. The lack of security expertise among manufacturers of such low-cost devices contributes to the problem. They often have no way of pushing a security patch to a device once it’s deployed. It’s an install-and-forget model for both the maker and the end user.

Standards enforcement is on a self-realisation trip: As early as 2015 the FBI had issued a public service announcement about the threats posed by vulnerable IoT devices. Organizations focused on this issue have also existed for a while. No strong measures were visible at that time. Now, faced with a growing threat, government bodies like NIST, DHS, NTIA and the FTC have all recently announced initiatives to combat this menace. In the wake of the Mirai attacks, this seems to have become an area of focus. Industry and community bodies like OWASP, GSMA, the IoT Cybersecurity Alliance, the Smart Card Alliance etc. have come up with their own guidelines and best practices. Too many competing standards are diluting standardisation efforts.

It might be a while before we see secure IoT devices out of the box. Existing deployed devices will remain vulnerable, and the cost of ignoring security will continue to seem paltry to vendors. For technologies to prosper, responsible and forward-thinking vendors need to act as the bridge between slow policy making and rapid technology change. IoT is no exception.